Geoff Chappell, Software Analyst
The BOOT_ENTROPY_NT_RESULT structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemBootEntropyInformation (0x75).
Note that at most one call can succeed, and only while the kernel is initialising. The boot entropy information is obtained by the loader and is passed to the kernel via the BootEntropyResult member of the LOADER_PARAMETER_EXTENSION. The copy that the loader provides is overwritten with null bytes when it is queried, or otherwise before the kernel frees the LOADER_PARAMETER_BLOCK in phase 1 of initialisation.
The BOOT_ENTROPY_NT_RESULT structure is not documented. Neither is its substructure, BOOT_ENTROPY_SOURCE_NT_RESULT, whose layout is also given below.
These structures are closely related, however, to a BOOT_ENTROPY_LDR_RESULT and BOOT_ENTROPY_SOURCE_LDR_RESULT that are defined in the ARC.H file that Microsoft disclosed in a Windows Driver Kit (WDK) for Windows 10. The LDR results are how the loader reports its boot entropy information to the kernel, and the NT results are the kernel’s report through its native API. All these structures are long gone even when the kernel finishes its initialisation, let alone before any execution in user mode: that any are defined in a header that’s in a subdirectory of a directory named “um”, as if for user-mode programming in contrast to the “km” of kernel-mode programming, may indicate that the disclosure is an oversight.
The BOOT_ENTROPY_NT_RESULT is 0x0378 bytes in both 32-bit and 64-bit Windows.
BOOT_ENTROPY_SOURCE_NT_RESULT EntropySourceResult ;
UCHAR SeedBytesForCng [BOOT_SEED_BYTES_FOR_CNG];
The SeedBytesForCng array is 0x30 bytes: BOOT_SEED_BYTES_FOR_CNG is defined in ARC.H. The only difference between BOOT_ENTROPY_NT_RESULT and the published BOOT_ENTROPY_LDR_RESULT is that the latter continues with a 1024-byte array named RngBytesForNtoskrnl. These are indeed just for the kernel to use for initialising its own random-number generation (and for the kernel to clear when done).
The BOOT_ENTROPY_SOURCE_NT_RESULT is 0x68 bytes in both 32-bit and 64-bit Windows. Since it seems to be used nowhere else, it may as well be presented here:
UCHAR EntropyData [BOOT_ENTROPY_SOURCE_DATA_SIZE];
The EntropyData array is 0x40 bytes: BOOT_ENTROPY_SOURCE_DATA_SIZE is another ARC.H definition, as are the two enumerations. The following values are defined for BOOT_ENTROPY_SOURCE_ID:
and for BOOT_ENTROPY_SOURCE_RESULT_CODE:
A comment immediately before the definitions in ARC.H talks of repetition in a header named NTEXAPI.H which Microsoft does not publish.
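As an added example, not from the article and not Microsoft's own code, the following Python parses a BOOT_ENTROPY_NT_RESULT buffer using the sizes the article gives (0x378 in total, 0x68 per source, 0x40 bytes of EntropyData, 0x30 bytes of SeedBytesForCng) and models the read-once behaviour: the entropy is pooled and the buffer is then cleared with null bytes. Two things are assumptions rather than statements from the article: the per-source field list (SourceId, Policy, ResultCode, ResultStatus, Time, EntropyLength, EntropyData) and the leading ULONG count named maxEntropySources are taken from ARC.H's BOOT_ENTROPY_SOURCE_LDR_RESULT and BOOT_ENTROPY_LDR_RESULT, which the article says the NT results mirror except for the trailing RngBytesForNtoskrnl. The sample buffer, its source identifiers and result codes are constructed. The code checks its assumed layout against the stated sizes: an 8-byte header, eight 0x68-byte entries and 0x30 seed bytes add up to 0x378.

```python
"""Parse a BOOT_ENTROPY_NT_RESULT buffer and model its read-once semantics.

Sizes are those the article states.  The per-source field list and the
leading count are ASSUMED to mirror BOOT_ENTROPY_SOURCE_LDR_RESULT and
BOOT_ENTROPY_LDR_RESULT in ARC.H.  The sample buffer is constructed.
"""
import struct
from typing import Any, Dict, List

BOOT_ENTROPY_SOURCE_DATA_SIZE = 0x40   # EntropyData, from ARC.H via the article
BOOT_SEED_BYTES_FOR_CNG = 0x30         # SeedBytesForCng, likewise
SOURCE_RESULT_SIZE = 0x68              # sizeof(BOOT_ENTROPY_SOURCE_NT_RESULT)
NT_RESULT_SIZE = 0x378                 # sizeof(BOOT_ENTROPY_NT_RESULT)

# Assumed per-source layout (little-endian, natural alignment), after ARC.H:
#   ULONG SourceId; pad; ULONG64 Policy; ULONG ResultCode; NTSTATUS ResultStatus;
#   ULONGLONG Time; ULONG EntropyLength; UCHAR EntropyData[0x40]; pad
SOURCE_FMT = "<I4xQIiQI%ds4x" % BOOT_ENTROPY_SOURCE_DATA_SIZE
ENTROPY_LENGTH_OFFSET = 32             # offset of EntropyLength inside one entry
# Assumed header: ULONG maxEntropySources, padded to 8 bytes.
HEADER_FMT = "<I4x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)

# Sanity-check the assumed layout against the sizes the article states.
assert struct.calcsize(SOURCE_FMT) == SOURCE_RESULT_SIZE
MAX_ENTROPY_SOURCES, _rem = divmod(
    NT_RESULT_SIZE - HEADER_SIZE - BOOT_SEED_BYTES_FOR_CNG, SOURCE_RESULT_SIZE)
assert _rem == 0 and MAX_ENTROPY_SOURCES == 8
SEED_OFFSET = HEADER_SIZE + MAX_ENTROPY_SOURCES * SOURCE_RESULT_SIZE


def parse_boot_entropy_nt_result(buf: bytes) -> Dict[str, Any]:
    """Decode one BOOT_ENTROPY_NT_RESULT; reject wrong sizes and bad lengths."""
    if len(buf) != NT_RESULT_SIZE:
        raise ValueError("expected %#x bytes, got %#x" % (NT_RESULT_SIZE, len(buf)))
    (max_sources,) = struct.unpack_from(HEADER_FMT, buf, 0)
    sources: List[Dict[str, Any]] = []
    for i in range(MAX_ENTROPY_SOURCES):
        off = HEADER_SIZE + i * SOURCE_RESULT_SIZE
        sid, policy, code, status, time_, length, data = struct.unpack_from(SOURCE_FMT, buf, off)
        # EntropyLength is the only self-describing length here; never let it
        # run past the fixed-size EntropyData array.
        if length > BOOT_ENTROPY_SOURCE_DATA_SIZE:
            raise ValueError("source %d claims %d entropy bytes, max is %d"
                             % (i, length, BOOT_ENTROPY_SOURCE_DATA_SIZE))
        sources.append({"SourceId": sid, "Policy": policy, "ResultCode": code,
                        "ResultStatus": status, "Time": time_,
                        "EntropyLength": length, "EntropyData": data[:length]})
    return {"maxEntropySources": max_sources,
            "EntropySourceResult": sources,
            "SeedBytesForCng": bytes(buf[SEED_OFFSET:SEED_OFFSET + BOOT_SEED_BYTES_FOR_CNG])}


def is_well_formed(buf: bytes) -> bool:
    """True if the buffer parses cleanly."""
    try:
        parse_boot_entropy_nt_result(buf)
        return True
    except ValueError:
        return False


def consume_and_clear(buf: bytearray) -> bytes:
    """Pool the usable entropy, then clear the buffer with null bytes, as the
    kernel does with the loader's copy once it has been queried."""
    parsed = parse_boot_entropy_nt_result(bytes(buf))
    pooled = b"".join(s["EntropyData"] for s in parsed["EntropySourceResult"])
    pooled += parsed["SeedBytesForCng"]
    buf[:] = bytes(len(buf))
    return pooled


def set_entropy_length(buf: bytearray, index: int, length: int) -> None:
    """Overwrite EntropyLength of entry `index` (used to test the bounds check)."""
    struct.pack_into("<I", buf, HEADER_SIZE + index * SOURCE_RESULT_SIZE + ENTROPY_LENGTH_OFFSET, length)


def build_sample() -> bytearray:
    """Constructed sample: two sources report data, the other entries stay zero.
    Source ids and result codes are arbitrary integers, not ARC.H enum values."""
    buf = bytearray(NT_RESULT_SIZE)
    struct.pack_into(HEADER_FMT, buf, 0, MAX_ENTROPY_SOURCES)
    samples = [(1, 0x20, bytes(range(0x20))),
               (3, BOOT_ENTROPY_SOURCE_DATA_SIZE, bytes([0xA5]) * BOOT_ENTROPY_SOURCE_DATA_SIZE)]
    for idx, (sid, length, data) in enumerate(samples):
        off = HEADER_SIZE + idx * SOURCE_RESULT_SIZE
        struct.pack_into(SOURCE_FMT, buf, off, sid, 0, 0, 0, 0x1234, length,
                         data.ljust(BOOT_ENTROPY_SOURCE_DATA_SIZE, b"\0"))
    buf[SEED_OFFSET:SEED_OFFSET + BOOT_SEED_BYTES_FOR_CNG] = bytes(range(BOOT_SEED_BYTES_FOR_CNG))
    return buf


if __name__ == "__main__":
    sample = build_sample()
    for s in parse_boot_entropy_nt_result(bytes(sample))["EntropySourceResult"]:
        print("source %d: %d entropy bytes" % (s["SourceId"], s["EntropyLength"]))
    print("pooled %d bytes; buffer now all zero: %s"
          % (len(consume_and_clear(sample)), sample == bytearray(NT_RESULT_SIZE)))
```

The bounds check on EntropyLength is the part worth keeping in any real consumer of this data: the fixed 0x40-byte EntropyData array is the only limit, and a length that exceeds it must be treated as corruption rather than honoured.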